The invention relates to a motor vehicle. The motor vehicle has a communication device for wireless data transmission between the motor vehicle on the one hand and a vehicle-external appliance and/or another motor vehicle on the other. By way of example, not limitation, the communication device may be a mobile radio module or a car-2-X or car-2-car communication module. Furthermore, a processor device is provided in the motor vehicle to execute application programs. In this case, the application programs can interchange data using the communication device.
Such a vehicle is vulnerable to computer viruses and other “malware”, which can be transferred to the motor vehicle from outside and are then executed by the processor device as part of an application program or as independent malware.
This is particularly critical in the case of a motor vehicle that is meant to be capable of accomplishing driving tasks autonomously or at least semiautonomously (in piloted fashion). In this context, driving tasks are the longitudinal guidance and/or the transverse guidance of the motor vehicle. A driving task may comprise automatic refueling or parking, for example. Another aspect is the automated accomplishment of tasks relating to payment after a refueling operation, for example, by online payment. In the years to come, an increase in such automated accomplishment of tasks by a motor vehicle can be expected. Drive-by-wire systems are also becoming increasingly available, i.e. the brakes and the steering are operated independently of the mechanics by an electronic controller. The control signals from the controllers are influenced by characteristic maps, sensors and software.
Motor vehicles of the type described are particularly susceptible to manipulation by a malicious application program. Influence from outside means that functions in the drive components and in the sensors can become flawed. This entails a danger to other road users and also to passengers of the motor vehicle in question. Malware can deliberately influence the vehicle behavior, can spy out personal data of the passengers and can access control loops or characteristic maps from outside and thus also influence a drive-by-wire system, for example.
In this connection, DE 101 23 475 A1 discloses a multimedia system for a motor vehicle that has a vehicle computer on which software for the interaction of the vehicle components with peripheral devices is installed. In logical isolation therefrom, an application computer is provided that allows a user to access external multimedia services, to which end the application computer executes appropriate applications, i.e. application programs. The isolation between the vehicle computer, which has access to controllers and other components of the vehicle-internal network, and the application computer, which is in contact with the outside world, is provided by a firewall. The vehicle computer and the application computer can interchange data via this firewall if this is permitted by a corresponding filter rule of the firewall.
The application computer with the application programs, which communicate with external data services, forms a first communication zone, for which particular rules apply for the data interchange with the external data services. The vehicle computer with the controllers networked thereto on the other side of the firewall forms a second communication zone, which is reached from outside the motor vehicle only through the firewall. A disadvantage of using a firewall is that it does not protect against malware that manages, in the first communication zone, to manipulate an application program that is registered in the firewall as a permitted application program. A firewall also does not protect against operating errors, for example when a mechanic in a workshop uses a harmless application program to access the vehicle computer in the second communication zone through the firewall in order to reconfigure a controller. If a configuration error is made in this case, this may likewise result in an undesirable driving behavior for the motor vehicle without the firewall having been able to prevent this.
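The limitation described above, as an added example that is not part of the original text or of the cited document: a minimal model of a zone firewall whose filter rules match on application, target controller and operation only. All application names, controller names and payload values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    app: str        # application program in the first communication zone
    target: str     # component in the second communication zone
    operation: str  # "read" or "write"
    payload: dict   # message content; the filter below never inspects it

@dataclass(frozen=True)
class FilterRule:
    app: str
    target: str
    operation: str

class ZoneFirewall:
    """Default-deny filter between the two communication zones."""
    def __init__(self, rules):
        self._rules = set(rules)

    def permits(self, msg: Message) -> bool:
        # The verdict depends only on who talks to what, not on what is said.
        return FilterRule(msg.app, msg.target, msg.operation) in self._rules

# Constructed rule set and traffic (hypothetical names and values).
FIREWALL = ZoneFirewall([
    FilterRule("navigation_app", "speed_sensor", "read"),
    FilterRule("workshop_tool", "brake_controller", "write"),
])
TRAFFIC = {
    "unregistered program": Message(
        "downloaded_game", "brake_controller", "write", {"gain": 0.0}),
    "intended workshop use": Message(
        "workshop_tool", "brake_controller", "write", {"gain": 1.0}),
    "operator configuration error": Message(
        "workshop_tool", "brake_controller", "write", {"gain": 100.0}),
    "manipulated permitted app": Message(
        "navigation_app", "speed_sensor", "read", {"forward_to": "host.example"}),
}

def verdicts(firewall=FIREWALL, traffic=TRAFFIC):
    """Return {label: True if the message passes the firewall}."""
    return {label: firewall.permits(msg) for label, msg in traffic.items()}

if __name__ == "__main__":
    for label, allowed in verdicts().items():
        print(f"{'PASS ' if allowed else 'BLOCK'} {label}")
```

Only the unregistered program is blocked; the configuration error and the manipulated permitted application pass because they match the same rules as legitimate traffic.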
In connection with car-2-car communication, that is to say data interchange with another motor vehicle, there is the danger that this other motor vehicle will, e.g. owing to a faulty transmission unit, transmit safety-relevant misinformation to the ego motor vehicle, such as a futile command during an overtaking maneuver, as a result of which the ego motor vehicle will sometimes immobilize itself.